Morning Edition · Sunday, July 12, 2026Published at 1:29 AM EDT · New York
Oracle Flaw Drains $9 Million From Hedera's Largest Lender, With $5.25 Million Bridged to Ethereum
The attacker pledged 250 SAUCE tokens worth a few dollars, submitted a price inflated by about twelve orders of magnitude, and borrowed millions after a Supra verifier accepted a signature that resolved to zero.

Bonzo Lend, the largest decentralized lender on the Hedera network, lost approximately 9.05 million dollars after an attacker exploited a verification flaw in a third-party Supra oracle contract, CoinDesk reported. The mechanism was price manipulation. The attacker deposited 250 SAUCE tokens, worth only a few dollars, then submitted a manipulated price update that inflated the token's value by roughly twelve orders of magnitude. Against that fictitious collateral they borrowed about 6.6 million dollars in USD Coin (USDC) and 34.5 million Wrapped HBAR.
The root cause was cryptographic, not economic. Bonzo said the Supra verifier approved the malicious submission because both the signature point and the referenced committee public key resolved to zero, so the signature check returned a valid result on an input that should have failed. Supra has acknowledged the issue and deployed a fix to the verifier contract on Hedera mainnet. Hedera's total value locked fell by nearly 40 percent in 24 hours and Bonzo's by 77 percent, and the attacker bridged more than 5.25 million dollars to Ethereum, which complicates recovery.
The incident is one of a steady series of smaller thefts catalogued by Rekt News, whose recent list includes losses at BonkDAO, Summer Finance, SecondFi, Secret Network, and an Aztec bridge. The common pattern across the larger events is not a new class of exploit but the repeated failure to validate a single trusted input, the price feed, before funds move.
What this means
Oracle and verifier logic remains the highest-impact attack surface in lending markets, because a single accepted bad price converts a few dollars of collateral into millions in loans, and the exposed parties are depositors and the bridges that carry stolen funds onward. The channel is contagion through composability. When the manipulated value is borrowed and then bridged, losses concentrated at one protocol propagate into whichever chain receives the assets, here Ethereum, where freezing is harder.
What to watch
- Whether Supra or Bonzo can attribute or freeze the bridged funds, which determines if any of the 9 million dollars is recoverable.
- How many other lenders depend on the same Supra verifier design, since the zero-signature acceptance flaw could recur wherever that check is reused.
Observations to monitor, not financial advice.
Part of a tracked trend
Bridge and Mint Exploits Sustain Heavy DeFi Losses
Over 3-6 months, recurring bridge proof-validation and unauthorized-mint exploits keep monthly DeFi losses elevated, including drains of deprecated contracts.
More from this edition
- Ethereum Foundation Patches AI-Found Validator Crash, Says Sorting Real Bugs From Noise Is the Hard Part
- Senate to Release Unified Crypto Market-Structure Draft With Three Weeks Left Before Recess
- Aztec Details How Its Layer-2 Hides Sender, Receiver, and Amount While Still Proving Validity
- Miden Pitches Selective Disclosure, Reviving the Fight Over Who Holds Privacy's Off Switch
- Ripple Wins Full EU Crypto License in Luxembourg as MiCA's Transition Period Closes
- Robinhood's New Layer-2 Processes 7.6 Million Daily Transactions, Narrowing the Gap With Base
- Ethereum Researcher Flags Sybil Weakness in a Leading Censorship-Resistance Design
- Circle Wins US Trust-Bank Charter That Custodies Reserves but Cannot Take Deposits or Lend
- Hong Kong Builds Gold and Yuan Settlement Network Designed to Bypass Dollar Stablecoins
- Bitcoin Treasury Firm Empery Digital Sells About Half Its Bitcoin to Fund AI Data Centers
- Tokenized Stocks Gain Users as Robinhood's On-Chain Equities Pass 40,000 Holders